CVE-2024-36000

Summary

In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: fix missing hugetlb_lock for resv uncharge

There is a recent report on UFFDIO_COPY over hugetlb:

https://lore.kernel.org/all/000000000000ee06de0616177560@google.com/

350: lockdep_assert_held(&hugetlb_lock);

Should be an issue in hugetlb but triggered in an userfault context, where it goes into the unlikely path where two threads modifying the resv map together. Mike has a fix in that path for resv uncharge but it looks like the locking criteria was overlooked: hugetlb_cgroup_uncharge_folio_rsvd() will update the cgroup pointer, so it requires to be called with the lock held.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux79aa925bf239c234be8586780e482872dc4690dd < 4c806333efea1000a2a9620926f560ad2e1ca7ccaffected
LinuxLinux79aa925bf239c234be8586780e482872dc4690dd < f6c5d21db16a0910152ec8aa9d5a7aed72694505affected
LinuxLinux79aa925bf239c234be8586780e482872dc4690dd < 538faabf31e9c53d8c870d114846fda958a0de10affected
LinuxLinux79aa925bf239c234be8586780e482872dc4690dd < b76b46902c2d0395488c8412e1116c2486cdfcb2affected
LinuxLinuxf87004c0b2bdf0f1066b88795d8e6c1dfad6cea0affected
LinuxLinux5.9.7 < 5.10affected
LinuxLinux5.10affected
LinuxLinux0 < 5.10unaffected
LinuxLinux6.1.91 <= 6.1.*unaffected
LinuxLinux6.6.30 <= 6.6.*unaffected
LinuxLinux6.8.9 <= 6.8.*unaffected
LinuxLinux6.9 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References